We have recently been notified of a flaw in our installation procedure that causes the Kerberos master key to be disclosed to anonymous users who directly search the LDAP server.
Note: the master Kerberos password is used to encrypt the principal keys. This flaw does not lead to individual keys being exposed.
The disclosure itself can be fixed by applying a simple ACI. Of course, once exposed, a secret can no longer be trusted. To address this, we have developed a set of tools that can be used to perform a master key change.
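An ACI of the kind described above, shown here as an added illustration rather than the project's own patch. The realm DN, the directory suffix and the DN the KDC binds as are placeholders for your deployment; the attribute name krbMKey is assumed from the MIT Kerberos LDAP schema, and 389 Directory Server evaluates deny rules before allow rules, so the exception for the KDC identity must be written into the deny rule itself.

```ldif
# Applied with: ldapmodify -x -D "cn=Directory Manager" -W -f deny-mkey.ldif
# Placeholder DNs: replace EXAMPLE.COM, dc=example,dc=com and the KDC bind DN.
dn: cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "krbMKey")(version 3.0; acl "Deny master key access to everyone except the KDC"; deny (all) userdn != "ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=example,dc=com";)
```

After applying it, an anonymous search of the realm entry requesting krbMKey should return the entry without that attribute, while the KDC's own bind should still read it; if the KDC cannot read the attribute, krb5kdc will fail to start.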
Please carefully follow the instructions to fix your existing installations.
To fully resolve this problem, you need to manually perform the following steps after installing the updated packages:
Disclaimer: The following procedure performs critical, low-level operations on your IPA system, and it is imperative that you back up your system before carrying out any of the following steps. A failure during this procedure may compromise the readability of all or part of your Kerberos keys.
1. Upgrade all of your servers to the freeipa-1.1.1 (or later) code and restart the dirsrv service on all of them. No other daemon needs to be restarted at this stage.
2. On one master server, run the following tool as root:
# /usr/sbin/ipa-fix-CVE-2008-3274 --check
This should report that the system is vulnerable.
3. On the same master server, run the following tool as root:
# /usr/sbin/ipa-fix-CVE-2008-3274 --fix
This should dump all Kerberos principals, reload them, and then return a message stating that the operation completed successfully.
This step should also create a .gpg file symmetrically encrypted with the Directory Manager password. This file contains a backup of all Kerberos key material and is written to /var/lib/ipa/.
Attention: DO NOT RUN THIS COMMAND ON ANY OTHER SERVER. See the next step.
4. On all other IPA servers, run the following tool as root:
# /usr/sbin/ipa-fix-CVE-2008-3274 --fix-replica
This will report that the system is NOT vulnerable and will then download the master key for the local KDC instance. This command will restart the krb5kdc service.
If the command reports a system as anything other than not vulnerable, verify that replication between masters is working correctly. The procedure will not successfully complete until replication failures are addressed.
The patches used to create this release are available through our git repository: http://git.fedorahosted.org/git/freeipa.git/?p=freeipa.git;a=shortlog;h=refs/heads/ipa-1-1
The ipa-1-1 branch has been created, and release-1-1-1 is the tag used to generate the source tarball.
The 3 most important patches are:
- Add script to simplify operations to fix CVE 2008 3274... [commit id: 38ad21f75728c2bb0d8a9c9e578eba7cb2ed0b16]
- CVE 2008 3274 related fixes [commit id: 9932887f2af38b9701efec27707648c026ec445c]
- Add a tool to change the kerberos Master Key in case... [commit id: af06a9fe128038aad03c5bee1b9f91404374da61]
Other patches were necessary dependencies and can be examined in our public git tree by following the link above.